diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml
index e9ee6438459..77e22bb4a15 100644
--- a/packages/tychon/changelog.yml
+++ b/packages/tychon/changelog.yml
@@ -1,6 +1,5 @@
-# newer versions go on top
-- version: "0.0.1"
+- version: "0.0.10"
 changes:
 - description: Fixed incorrect types in field.yml and cleaned up formatting
 type: enhancement
- link: https://github.com/elastic/integrations/pull/6701
+ link: https://github.com/joeperuzzi/integrations/pull/5 # FIXME Replace with the real PR link
diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json
index a968a6c9bcd..c374a3da522 100644
--- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json
+++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json
@@ -11,7 +11,7 @@
 "host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb",
 "host.hostname": "DESKTOP-TIUKL1R",
 "host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
- "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645",
+ "host.ip": "10.1.9.112",
 "host.ipv4": "10.1.9.112",
 "host.ipv6": "fe80::40d1:5287:42b9:5645",
 "host.mac": "00:0C:29:EF:9A:EB",
diff --git a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json
index d257f139cd7..9e0c2839baf 100644
--- a/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json
+++ b/packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json
@@ -1,93 +1,88 @@ { - "expected": [ - { - "@timestamp": "2023-07-06T19:09:34.276302828Z", - "ecs": { - "version": "8.8.0" - }, - "event": { - "category": [ - "vulnerability" - ], - "ingested": "2023-07-06T19:09:34.276302828Z", - "kind": "state", - "module": "tychon", - "outcome": "failure" - }, - "host": { - "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "domain": "", - "hardware": { - "bios": { - "name": "Phoenix Technologies LTD", - "version": "6.00" - }, - "cpu": { - "caption": "Intel64 Family 6 Model 45 Stepping 7" - }, - "manufacturer": "VMware, Inc.", - "owner": "dcuser", - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" - }, - "hostname": "DESKTOP-TIUKL1R", - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", - "ip": [ - "10.1.9.112", - "fe80::40d1:5287:42b9:5645" - ], - "mac": "00-0C-29-EF-9A-EB", - "oem": { - "manufacturer": "", - "model": "" - }, - "os": { - "build": "22000", - "description": "", - "family": "Windows", - "name": "Microsoft Windows 11 Education N", - "organization": "", - "version": "10.0.22000" - }, - "type": "Workstation", - "uptime": 145287, - "workgroup": "WORKGROUP" - }, - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900", - "script": { - "current_duration": 315381.28, - "current_time": "2023-06-15T21:58:02Z", - "name": "Invoke-CveScan.ps1", - "start": "2023-06-15T21:52:47Z", - "type": "powershell", - "version": "0.1.0" - }, - "tychon": { - "ipv4": "10.1.9.112", - "ipv6": "fe80::40d1:5287:42b9:5645" - }, - "vulnerability": { - "category": [ - "oval" - ], - "classification": "cvss", - "enumeration": "CVE", - "iava": "2013-A-0227", - "iava_severity": "CAT II", - "id": "CVE-2013-3900", - "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900", - "result": "fail", - "scanner": { - "vendor": "tychon" - }, - "score": { - "base": 7.6, - "version": "2.0" - }, - "severity": "HIGH", - 
"title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ", - "version": "1", - "year": 2013 - } - } - ] + "expected": [ + { + "@timestamp": "2023-07-28T18:14:38.394883461Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "vulnerability" + ], + "ingested": "2023-07-28T18:14:38.394883461Z", + "kind": "state", + "module": "tychon", + "outcome": "failure" + }, + "host": { + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": "10.1.9.112", + "ipv4": "10.1.9.112", + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00-0C-29-EF-9A-EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" + }, + "type": "Workstation", + "uptime": 145287, + "workgroup": "WORKGROUP" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900", + "script": { + "current_duration": 315381.28, + "current_time": "2023-06-15T21:58:02Z", + "name": "Invoke-CveScan.ps1", + "start": "2023-06-15T21:52:47Z", + "type": "powershell", + "version": "0.1.0" + }, + "vulnerability": { + "category": [ + "oval" + ], + "classification": "cvss", + "enumeration": "CVE", + "iava": "2013-A-0227", + "iava_severity": "CAT II", 
+ "id": "CVE-2013-3900", + "reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900", + "result": "fail", + "scanner": { + "vendor": "tychon" + }, + "score": { + "base": 7.6, + "version": "2.0" + }, + "severity": "HIGH", + "title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ", + "version": "1", + "year": 2013 + } + } + ] } \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml index 3d436425afe..6f75d685144 100644 --- a/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml @@ -13,18 +13,6 @@ processors: - set: field: _id value: "{{id}}" - - set: - field: tychon.ipv4 - value: "{{host.ipv4}}" - - set: - field: tychon.ipv6 - value: "{{host.ipv6}}" - - remove: - ignore_missing: true - field: host.ipv4 - - remove: - ignore_missing: true - field: host.ipv6 - set: field: "@timestamp" value: "{{_ingest.timestamp}}" @@ -40,19 +28,19 @@ processors: - set: field: event.category value: [vulnerability] - - split: - field: host.ip - separator: "," - script: - source: if(ctx.vulnerability?.result == 'fail'){ + source: | + if(ctx.vulnerability?.result == 'fail'){ ctx.event.outcome = "failure" }else if(ctx.vulnerability?.result == 'pass'){ ctx.event.outcome = "success" }else{ ctx.event.outcome = "unknown" } - - script: - source: ctx.host.mac = ctx.host.mac.replace(':','-') + - gsub: + field: host.mac + pattern: ":" + replacement: "-" - set: field: event.ingested value: "{{_ingest.timestamp}}" 
@@ -87,4 +75,3 @@ on_failure:
 - append:
 field: error.message
 value: '{{{ _ingest.on_failure_message }}}'
-
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_cve/fields/agent.yml b/packages/tychon/data_stream/tychon_cve/fields/agent.yml
index e380f9c03e8..4542034fdd6 100644
--- a/packages/tychon/data_stream/tychon_cve/fields/agent.yml
+++ b/packages/tychon/data_stream/tychon_cve/fields/agent.yml
@@ -111,6 +111,14 @@
 level: core
 type: ip
 description: Host ip addresses.
+ - name: ipv4
+ level: core
+ type: keyword
+ description: Host ip v4 addresses.
+ - name: ipv6
+ level: core
+ type: keyword
+ description: Host ip v6 addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/tychon/data_stream/tychon_cve/fields/fields.yml b/packages/tychon/data_stream/tychon_cve/fields/fields.yml
index c3eb7390382..73e3f26b98b 100644
--- a/packages/tychon/data_stream/tychon_cve/fields/fields.yml
+++ b/packages/tychon/data_stream/tychon_cve/fields/fields.yml
@@ -61,12 +61,3 @@
 - name: version
 description: Elastic Agent Version.
 type: keyword
-- name: tychon
- type: group
- fields:
- - name: ipv4
- description: Ipv4 Address
- type: ip
- - name: ipv6
- description: Ipv6 Address
- type: ip
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json
index c2f3d10314c..0b8a26266de 100644
--- a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json
+++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json
@@ -6,7 +6,7 @@
 "windows_defender.service.antispyware.signature_version": "1.391.1546.0",
 "script.type": "powershell",
 "host.os.build": "22000",
- "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645",
+ "host.ip": "10.1.9.112",
 "windows_defender.service.antivirus.quick_scan.signature_version": "1.391.1470.0",
 "host.hostname": "DESKTOP-TIUKL1R",
 "host.hardware.manufacturer": "VMware, Inc.",
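Review bot: In the tychon_cve agent.yml hunk the new `host.ipv4` and `host.ipv6` fields are declared `type: keyword`, whereas the `tychon.ipv4`/`tychon.ipv6` fields they replace were `type: ip` and the adjacent `host.ip` is `type: ip`; indexing addresses as keyword loses CIDR and range queries and makes them non-comparable with host.ip in detections. Unless a multi-address value is expected in these fields, `type: ip` should be used for both. Note also that these are non-ECS field names placed under the ECS `host.*` namespace, which is worth a short comment or a move to a custom namespace. The same change appears in the tychon_epp and tychon_stig agent.yml hunks.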
diff --git a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json
index 6fdd38e9ee3..51130b21f3d 100644
--- a/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json
+++ b/packages/tychon/data_stream/tychon_epp/_dev/test/pipeline/test-epp.json-expected.json
@@ -1,108 +1,103 @@ { - "expected": [ - { - "@timestamp": "2023-07-06T19:09:34.495470581Z", - "ecs": { - "version": "8.8.0" - }, - "event": { - "category": [ - "host" - ], - "ingested": "2023-07-06T19:09:34.495470581Z", - "kind": "state", - "module": "tychon" - }, - "host": { - "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "domain": "", - "hardware": { - "bios": { - "name": "Phoenix Technologies LTD", - "version": "6.00" - }, - "cpu": { - "caption": "Intel64 Family 6 Model 45 Stepping 7" - }, - "manufacturer": "VMware, Inc.", - "owner": "dcuser", - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" - }, - "hostname": "DESKTOP-TIUKL1R", - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", - "ip": [ - "10.1.9.112", - "fe80::40d1:5287:42b9:5645" - ], - "mac": "00-0C-29-EF-9A-EB", - "oem": { - "manufacturer": "", - "model": "" - }, - "os": { - "build": "22000", - "description": "", - "family": "Windows", - "name": "Microsoft Windows 11 Education N", - "organization": "", - "version": "10.0.22000" - }, - "type": "Workstation", - "uptime": 139304, - "workgroup": "WORKGROUP" - }, - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", - "script": { - "current_duration": 1129.2, - "current_time": "2023-06-15T20:13:04Z", - "name": "Get-TychonEppSetting.ps1", - "start": "2023-06-15T20:13:03Z", - "type": "powershell", - "version": "0.1.0" - }, - "tychon": { + "expected": [ + { + "@timestamp": "2023-07-28T18:14:38.878742881Z", + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "host" + ], + "ingested": "2023-07-28T18:14:38.878742881Z", + "kind": "state", + "module": "tychon" + }, + "host": { + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + 
"manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": "10.1.9.112", "ipv4": "10.1.9.112", - "ipv6": "fe80::40d1:5287:42b9:5645" + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00-0C-29-EF-9A-EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": "Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" + }, + "type": "Workstation", + "uptime": 139304, + "workgroup": "WORKGROUP" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "script": { + "current_duration": 1129.2, + "current_time": "2023-06-15T20:13:04Z", + "name": "Get-TychonEppSetting.ps1", + "start": "2023-06-15T20:13:03Z", + "type": "powershell", + "version": "0.1.0" }, - "windows_defender": { - "service": { - "antimalware": { - "engine_version": "1.1.23050.3", - "product_version": "4.18.23050.5", - "status": "Enabled" - }, - "antispyware": { - "signature_version": "1.391.1546.0", - "status": "Enabled" - }, - "antivirus": { - "full_scan": { - "signature_version": "" - }, - "quick_scan": { - "signature_version": "1.391.1470.0" - }, - "status": "Enabled" - }, - "behavior_monitor": { - "status": "Enabled" - }, - "ioav_protection": { - "status": "Enabled" - }, - "nis": { - "engine_version": "1.1.23050.3", - "signature_version": "1.391.1546.0", - "status": "Enabled" - }, - "on_access_protection": { - "status": "Enabled" - }, - "real_time_protection": { - "status": "Enabled" - } - } - } - } - ] -} \ No newline at end of file + "windows_defender": { + "service": { + "antimalware": { + "engine_version": "1.1.23050.3", + "product_version": "4.18.23050.5", + "status": "Enabled" + }, + "antispyware": { + 
"signature_version": "1.391.1546.0", + "status": "Enabled" + }, + "antivirus": { + "full_scan": { + "signature_version": "" + }, + "quick_scan": { + "signature_version": "1.391.1470.0" + }, + "status": "Enabled" + }, + "behavior_monitor": { + "status": "Enabled" + }, + "ioav_protection": { + "status": "Enabled" + }, + "nis": { + "engine_version": "1.1.23050.3", + "signature_version": "1.391.1546.0", + "status": "Enabled" + }, + "on_access_protection": { + "status": "Enabled" + }, + "real_time_protection": { + "status": "Enabled" + } + } + } + } + ] +} diff --git a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml index 3755254cfac..cb5c6ab2f5b 100644 --- a/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_epp/elasticsearch/ingest_pipeline/default.yml @@ -13,21 +13,6 @@ processors: - set: field: '_id' value: '{{id}}' - - split: - field: host.ip - separator: "," - - set: - field: tychon.ipv4 - value: "{{host.ipv4}}" - - set: - field: tychon.ipv6 - value: "{{host.ipv6}}" - - remove: - ignore_missing: true - field: host.ipv4 - - remove: - ignore_missing: true - field: host.ipv6 - set: field: '@timestamp' value: '{{_ingest.timestamp}}' @@ -49,8 +34,10 @@ processors: - convert: field: host.uptime type: long - - script: - source: ctx.host.mac = ctx.host.mac.replace(':','-') + - gsub: + field: host.mac + pattern: ":" + replacement: "-" - convert: field: script.current_duration type: float @@ -61,4 +48,3 @@ on_failure: - append: field: error.message value: '{{{ _ingest.on_failure_message }}}' - \ No newline at end of file diff --git a/packages/tychon/data_stream/tychon_epp/fields/agent.yml b/packages/tychon/data_stream/tychon_epp/fields/agent.yml index e380f9c03e8..4542034fdd6 100644 --- a/packages/tychon/data_stream/tychon_epp/fields/agent.yml 
+++ b/packages/tychon/data_stream/tychon_epp/fields/agent.yml
@@ -111,6 +111,14 @@
 level: core
 type: ip
 description: Host ip addresses.
+ - name: ipv4
+ level: core
+ type: keyword
+ description: Host ip v4 addresses.
+ - name: ipv6
+ level: core
+ type: keyword
+ description: Host ip v6 addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/tychon/data_stream/tychon_epp/fields/fields.yml b/packages/tychon/data_stream/tychon_epp/fields/fields.yml
index db5c5ab7cb4..4b80ceabc31 100644
--- a/packages/tychon/data_stream/tychon_epp/fields/fields.yml
+++ b/packages/tychon/data_stream/tychon_epp/fields/fields.yml
@@ -101,12 +101,9 @@
 - name: version
 description: Elastic Agent Version.
 type: keyword
-- name: tychon
- type: group
- fields:
- - name: ipv4
- description: Ipv4 Address
- type: ip
- - name: ipv6
- description: Ipv6 Address
- type: ip
+- name: host.epp.product
+ description: Epp products installed
+ type: keyword
+- name: host.trellix.product
+ description: trellix products installed
+ type: keyword
diff --git a/packages/tychon/data_stream/tychon_epp/manifest.yml b/packages/tychon/data_stream/tychon_epp/manifest.yml
index 021373c406c..c7770ac7802 100644
--- a/packages/tychon/data_stream/tychon_epp/manifest.yml
+++ b/packages/tychon/data_stream/tychon_epp/manifest.yml
@@ -30,4 +30,3 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json
index a57731c428a..d8b1adf8574 100644
--- a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json
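Review bot: The descriptions added in the tychon_epp fields.yml hunk, `Epp products installed` and `trellix products installed`, break the style of their siblings (`Elastic Agent Version.`): no capitalised product name and no terminal period; suggest `description: EPP products installed.` and `description: Trellix products installed.`. Neither `host.epp.product` nor `host.trellix.product` is populated by the epp pipeline or the test fixture changed in this diff, so the new mappings appear to be untested here — worth confirming a fixture exercises them. The tychon_stig fields.yml hunk has the same inconsistency with `Stig rule id` (no period, `Stig` rather than `STIG`).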
+++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json
@@ -9,7 +9,7 @@
 "rule.oval.refid": "",
 "script.type": "powershell",
 "host.os.build": "22000",
- "host.ip": "10.1.9.112,fe80::40d1:5287:42b9:5645",
+ "host.ip": "10.1.9.112",
 "rule.name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule",
 "script.version": "0.1.0",
 "host.hostname": "DESKTOP-TIUKL1R",
diff --git a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json
index a4908d5faa2..8f7e9630636 100644
--- a/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json
+++ b/packages/tychon/data_stream/tychon_stig/_dev/test/pipeline/test-stig.json-expected.json
@@ -1,103 +1,98 @@ { - "expected": [ - { - "@timestamp": "2023-07-06T19:09:34.703782139Z", - "benchmark": { - "generated_utc": "2023-03-28T17:40:48", - "guid": "", - "hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", - "name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", - "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", - "version": "1.2" - }, - "ecs": { - "version": "8.8.0" - }, - "event": { - "category": [ - "host" - ], - "ingested": "2023-07-06T19:09:34.703782139Z", - "kind": "state", - "module": "tychon" - }, - "host": { - "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", - "domain": "", - "hardware": { - "bios": { - "name": "Phoenix Technologies LTD", - "version": "6.00" - }, - "cpu": { - "caption": "Intel64 Family 6 Model 45 Stepping 7" - }, - "manufacturer": "VMware, Inc.", - "owner": "dcuser", - "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" - }, - "hostname": "DESKTOP-TIUKL1R", - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", - "ip": [ - "10.1.9.112", - "fe80::40d1:5287:42b9:5645" - ], - "mac": "00-0C-29-EF-9A-EB", - "oem": { - "manufacturer": "", - "model": "" - }, - "os": { - "build": "22000", - "description": "", - "family": "Windows", - "name": "Microsoft Windows 11 Education N", - "organization": "", - "version": "10.0.22000" - }, - "type": "Workstation", - "uptime": 139370, - "workgroup": "WORKGROUP" - }, - "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", - "oval": { - "class": "compliance", - "id": "oval:mil.disa.stig.windows11:def:253254", - "refid": "" - }, - "rule": { - "benchmark": { - "guid": "", - "profile": { - "id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules" - }, - "title": 
"scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml" - }, - "finding_id": "", - "id": "", - "name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", - "oval": { - "class": "compliance", - "id": "oval:mil.disa.stig.windows11:def:253254", - "refid": "" - }, - "result": "not applicable", - "severity": "medium", - "title": "", - "weight": 10.0 - }, - "script": { - "current_duration": 324194.34, - "current_time": "2023-06-15T20:19:35Z", - "name": "Invoke-TychonStigBenchmarkScan.ps1", - "start": "2023-06-15T20:14:11Z", - "type": "powershell", - "version": "0.1.0" - }, - "tychon": { + "expected": [ + { + "@timestamp": "2023-07-28T18:14:39.219921509Z", + "benchmark": { + "generated_utc": "2023-03-28T17:40:48", + "guid": "", + "hash": "B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "name": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml", + "version": "1.2" + }, + "ecs": { + "version": "8.8.0" + }, + "event": { + "category": [ + "host" + ], + "ingested": "2023-07-28T18:14:39.219921509Z", + "kind": "state", + "module": "tychon" + }, + "host": { + "biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB", + "domain": "", + "hardware": { + "bios": { + "name": "Phoenix Technologies LTD", + "version": "6.00" + }, + "cpu": { + "caption": "Intel64 Family 6 Model 45 Stepping 7" + }, + "manufacturer": "VMware, Inc.", + "owner": "dcuser", + "serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb" + }, + "hostname": "DESKTOP-TIUKL1R", + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP", + "ip": "10.1.9.112", "ipv4": "10.1.9.112", - "ipv6": "fe80::40d1:5287:42b9:5645" + "ipv6": "fe80::40d1:5287:42b9:5645", + "mac": "00-0C-29-EF-9A-EB", + "oem": { + "manufacturer": "", + "model": "" + }, + "os": { + "build": "22000", + "description": "", + "family": 
"Windows", + "name": "Microsoft Windows 11 Education N", + "organization": "", + "version": "10.0.22000" + }, + "type": "Workstation", + "uptime": 139370, + "workgroup": "WORKGROUP" + }, + "id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_oval:mil.disa.stig.windows11:def:253254_B5876182441699AE4B0B035ED3907DA0898FCA4BDE607D5320342F1862DE0379", + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.windows11:def:253254", + "refid": "" + }, + "rule": { + "benchmark": { + "guid": "", + "profile": { + "id": "xccdf_mil.disa.stig_profile_Disable_Slow_Rules" + }, + "title": "scap_mil.disa.stig_cref_U_MS_Windows_11_V1R2_STIG_SCAP_1-2_Benchmark-xccdf.xml" + }, + "finding_id": "", + "id": "", + "name": "xccdf_mil.disa.stig_rule_SV-253254r828846_rule", + "oval": { + "class": "compliance", + "id": "oval:mil.disa.stig.windows11:def:253254", + "refid": "" + }, + "result": "not applicable", + "severity": "medium", + "title": "", + "weight": 10.0 + }, + "script": { + "current_duration": 324194.34, + "current_time": "2023-06-15T20:19:35Z", + "name": "Invoke-TychonStigBenchmarkScan.ps1", + "start": "2023-06-15T20:14:11Z", + "type": "powershell", + "version": "0.1.0" } - } - ] -} \ No newline at end of file + } + ] +} diff --git a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml index 7c49c153c69..41c4482de43 100644 --- a/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml +++ b/packages/tychon/data_stream/tychon_stig/elasticsearch/ingest_pipeline/default.yml 
@@ -42,26 +42,18 @@ processors:
 - set:
 field: event.ingested
 value: '{{_ingest.timestamp}}'
- - split:
- field: host.ip
- separator: ","
- - set:
- field: tychon.ipv4
- value: "{{host.ipv4}}"
- - set:
- field: tychon.ipv6
- value: "{{host.ipv6}}"
- - remove:
- ignore_missing: true
- field: host.ipv4
- - remove:
- ignore_missing: true
- field: host.ipv6
 - convert:
 field: host.uptime
 type: long
 - script:
 source: ctx.host.mac = ctx.host.mac.replace(':','-')
+ - convert:
+ field: host.uptime
+ type: long
+ - gsub:
+ field: host.mac
+ pattern: ":"
+ replacement: "-"
 - convert:
 field: script.current_duration
 type: float
@@ -75,4 +67,3 @@ on_failure:
 - append:
 field: error.message
 value: '{{{ _ingest.on_failure_message }}}'
-
\ No newline at end of file
diff --git a/packages/tychon/data_stream/tychon_stig/fields/agent.yml b/packages/tychon/data_stream/tychon_stig/fields/agent.yml
index e380f9c03e8..4542034fdd6 100644
--- a/packages/tychon/data_stream/tychon_stig/fields/agent.yml
+++ b/packages/tychon/data_stream/tychon_stig/fields/agent.yml
@@ -111,6 +111,14 @@
 level: core
 type: ip
 description: Host ip addresses.
+ - name: ipv4
+ level: core
+ type: keyword
+ description: Host ip v4 addresses.
+ - name: ipv6
+ level: core
+ type: keyword
+ description: Host ip v6 addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/tychon/data_stream/tychon_stig/fields/fields.yml b/packages/tychon/data_stream/tychon_stig/fields/fields.yml
index 937f9ed5bde..864e77b3f8f 100644
--- a/packages/tychon/data_stream/tychon_stig/fields/fields.yml
+++ b/packages/tychon/data_stream/tychon_stig/fields/fields.yml
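Review bot: In the @@ -42,26 +42,18 @@ hunk of the tychon_stig pipeline the existing `convert` on host.uptime and the `script` that does `ctx.host.mac.replace(':','-')` are kept as context lines, and a second `convert` on host.uptime plus the `gsub` are added right after them, so the patched pipeline now converts host.uptime twice and normalizes host.mac twice (the line counts, 26 old versus 18 new, confirm only the split/set/remove processors were dropped). The tychon_epp pipeline in this same diff removes the old script when it introduces gsub, which is the intended shape here too. Please delete the two context processors (`- convert: field: host.uptime type: long` and `- script: source: ctx.host.mac = ...`) so only the new convert and gsub remain, and consider `ignore_missing: true` on the gsub so a document without host.mac does not fail the whole pipeline.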
@@ -49,15 +49,21 @@
 - name: finding_id
 description: Benchmark Rule Finding Identifier.
 type: keyword
+ - name: result
+ description: Benchmark Rule Results.
+ type: keyword
 - name: severity
 description: Benchmark Severity Status.
 type: keyword
- - name: result
- description: Benchmark Rule Results.
+ - name: stig_id
+ description: Stig rule id
 type: keyword
 - name: title
 description: Benchmark Rule Title.
 type: keyword
+ - name: vulnerability_id
+ description: Rule vulnerability id.
+ type: keyword
 - name: weight
 description: Benchmark Rule Weight.
 type: float
@@ -118,12 +124,3 @@
 - name: version
 description: Elastic Agent Version.
 type: keyword
-- name: tychon
- type: group
- fields:
- - name: ipv4
- description: Ipv4 Address
- type: ip
- - name: ipv6
- description: Ipv6 Address
- type: ip
diff --git a/packages/tychon/data_stream/tychon_stig/manifest.yml b/packages/tychon/data_stream/tychon_stig/manifest.yml
index e4d2129d452..10c1782b32e 100644
--- a/packages/tychon/data_stream/tychon_stig/manifest.yml
+++ b/packages/tychon/data_stream/tychon_stig/manifest.yml
@@ -30,4 +30,3 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
-
diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml
index 429b6843ba6..c601df86679 100644
--- a/packages/tychon/manifest.yml
+++ b/packages/tychon/manifest.yml
@@ -32,4 +32,4 @@ policy_templates:
 title: Tychon
 description: Tychon
 owner:
- github: elastic/security-external-integrations
+ github: elastic/integrations